diff --git a/states/apt/init.sls b/states/apt/init.sls
index cbd9709..c0e68bd 100644
--- a/states/apt/init.sls
+++ b/states/apt/init.sls
@@ -9,7 +9,7 @@ apt-deps:
 apt-proxy-detect:
   file.managed:
     - name: /usr/local/bin/apt-proxy-detect.py
-    - source: salt://apt/apt.py.j2
+    - source: salt://apt/templates/apt.py.j2
     - template: jinja
     - mode: "0755"
 
diff --git a/states/apt/apt.py.j2 b/states/apt/templates/apt.py.j2
similarity index 100%
rename from states/apt/apt.py.j2
rename to states/apt/templates/apt.py.j2
diff --git a/states/haproxy/defaults.yaml b/states/haproxy/defaults.yaml
index 5fa0835..a8d65fa 100644
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@@ -29,14 +29,17 @@ haproxy:
       timeout server: 30m
       timeout check: 5s
     balance: roundrobin
-    check: True
+    check: true
     dir: /etc/haproxy
     configfile: haproxy.cfg
     user: haproxy
     group: haproxy
     http_port: 80
     https_port: 443
-    admin: false
+    capture_length: 200
+    admin:
+      enable: false
+      port: 7000
     api:
       enable: true
       filesocket: /var/run/hap-lb.sock
@@ -73,5 +76,8 @@ haproxy:
       - .js
       - .png
       - .jpg
+    ddos:
+      timeperiod: 10s
+      maxrequests: 200
     vhosts: {}
     services: {}
diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2
index d8f90e5..ec92b70 100644
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@@ -10,6 +10,10 @@
   http-request return status 200 if { method -i HEAD }
 {%- endmacro -%}
 
+{%- macro statusresponses() -%}
+  http-response return content-type text/html string "404 not found" if { status 404 }
+{%- endmacro -%}
+
 {%- macro serverheader() -%}
   http-response set-header server "{{ haproxy.config.servername }}"
 {%- endmacro -%}
@@ -19,7 +23,7 @@
 
 {%- macro httpendpoints(servers=[], check=True, ssl=False) -%}
   {%- for server in servers %}
-  server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules() if check }}{{ " " + httpsslrules() if ssl }}
+  server {{ server.name }} {{ server.name }}:{{ server.port }}{{ " " + httpcheckrules(inter=server.inter|default("2s"), fall=server.fall|default(5), rise=server.rise|default(5)) if check }}{{ " " + httpsslrules() if ssl }}
   {%- endfor %}
 {%- endmacro -%}
 
@@ -43,10 +47,15 @@
 # Stats
 listen stats
   mode http
-  bind *:7000,:::7000 v4v6
+  bind *:{{ haproxy.config.admin.port }},:::{{ haproxy.config.admin.port }} v4v6
   stats enable
-  stats refresh 5s
+  #stats hide-version
+  stats admin if TRUE
+  #stats refresh 5s
+  stats show-modules
+  stats show-legends
   stats uri /
+  monitor-uri /dead_or_alive
 {%- endmacro -%}
 
 {%- macro api() -%}
@@ -80,33 +89,41 @@ defaults
   {{ key }} {{ value }}
 {%- endfor %}
 
-{%- if haproxy.config.admin %}
+{% if haproxy.config.admin.enable %}
 {{ admin() }}
 {%- endif %}
 
 # Cache
 cache static
-  total-max-size 256
+  total-max-size 64
   max-object-size 50000
   max-age 120
 
 # Per IP rates stick table
 backend per_ip_rates
-  stick-table type string size 1m expire 10s store http_req_rate(10s)
+  stick-table type string size 1m expire {{ haproxy.config.ddos.timeperiod|default("10s") }} store http_req_rate({{ haproxy.config.ddos.timeperiod|default("10s")}})
 
 # Default HTTP frontend
 frontend http
-  bind *:80,:::80 v4v6
+  bind *:{{ haproxy.config.http_port }},:::{{ haproxy.config.http_port }} v4v6
   mode http
   acl http ssl_fc,not
+  acl path_host path /host
+  acl path_date path /date
+  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+  http-request return status 200 content-type text/html lf-string "%T\n" if path_date
   http-request redirect scheme https if http
 
 # Default HTTPS frontend
 frontend https
-  bind *:443,:::443 v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
+  bind *:{{ haproxy.config.https_port }},:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
+  #bind quic4@*:{{ haproxy.config.https_port }},quic6@:::{{ haproxy.config.https_port }} v4v6 ssl crt {{ haproxy.config.acme_fullchains_dir }}{% if haproxy.config.http2 %} alpn h2,http/1.1{% endif %}
   mode http
   option httplog
   acl internal src -f {{ haproxy.config.dir }}/maps/access
+  acl robots_txt path /robots.txt
+  acl path_host path /host
+  acl path_date path /date
   http-request set-var(req.src) src
   http-request set-var(req.host) req.hdr(host)
   http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
@@ -115,16 +132,20 @@ frontend https
   http-request capture req.hdr(Content-Type) len 200
   http-request capture req.hdr(Referer) len 200
   http-request capture sc_http_req_rate(0) len 4
-  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !internal
+  http-request deny deny_status 429 if { sc_http_req_rate(0) gt {{ haproxy.config.ddos.maxrequests|default(200)}} } !internal
+  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+  http-request return status 200 content-type text/html string "User-agent: *\r\nDisallow: /" if robots_txt
+  http-request return status 200 content-type text/html lf-string "%H\n" if path_host
+  http-request return status 200 content-type text/html lf-string "%T\n" if path_date
   http-request set-header X-Proxy-Id "{{ salt["grains.get"]("host") }}"
   http-request set-header X-Proto https if { ssl_fc }
   log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
-  http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom(/etc/haproxy/maps/redirects) -m found }
+  http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
   use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
   default_backend nginx
 
 # HTTP Backends
-{% for name, values in haproxy.config.vhosts.items() %}
+{%- for name, values in haproxy.config.vhosts.items() %}
 {%- if not values.redirect|default(False) %}
 backend {{ name }}
   balance {{ values.balance|default(haproxy.config.balance) }}
@@ -136,6 +157,7 @@ backend {{ name }}
   http-check {{ step }}
 {%- endfor %}
 {%- endif %}
+  {{ statusresponses() }}
 {%- if values.head|default(False) %}
   {{ head() }}
 {%- endif %}
@@ -160,13 +182,14 @@ backend {{ name }}
 {% endfor %}
 
 # TCP services
-{% for name, values in haproxy.config.services.items() %}
+{%- for name, values in haproxy.config.services.items() %}
 listen {{ name }}
   bind *:{{ values.port }},:::{{ values.port }} v4v6
   mode tcp
   option tcplog
 {%- if values.type == "postgres" %}
   option pgsql-check user postgres
+  option tcpka
 {%- endif %}
   default-server inter 3s fall 3
   {{- tcpendpoints(servers=values.servers, check=values.check|default(haproxy.config.check)) }}